Multi-factor authentication

Admin tools ::: tool_mfa
Maintained by Catalyst IT, Brendan Heywood, Peter Burnett, Mikhail Golenkov
This is a Moodle plugin which adds multi-factor authentication (MFA), also known as two-factor authentication (2FA), on top of your existing chosen authentication plugins.
941 sites
26 fans
Current versions available: 1

Why another MFA plugin for Moodle?

There are other 2FA plugins for Moodle such as:

This one is different because it is NOT a Moodle authentication plugin. It leverages new APIs that Catalyst specifically implemented in Moodle core to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin, resulting in a much cleaner architecture, and that you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow.

See this tracker and the dev docs for more info:

The other major difference is that we support multiple authentication factor types as sub-plugins, e.g. IP Range, Email and TOTP, and in future others such as SMS, hardware tokens or anything else as new sub-plugins. They can be flexibly configured so that different combinations of factors are considered enough.

Flexible Configuration

The MFA plugin has a sub-plugin for each type of factor. Different factors can be combined and checked in a specific order. See the plugin readme for the full details:

For more information, consult the readme:




Catalyst IT (Lead maintainer)
Brendan Heywood: Solutions Architect
Peter Burnett: Developer
Mikhail Golenkov: Developer

  • Wed, Oct 26, 2022, 4:28 PM
    @Peter Burnett
    Thank you for your response!
  • Wed, Oct 26, 2022, 9:21 PM
    Running fine under 4.04. :)
    Another question: Is there a method to give a priority between several methods all set to 100?
    E.g. mail and TOTP-methods active, but I prefer the TOTP and want mail only as backup? How would I tell Moodle in this case that my portable is low on batt ;) ?
  • Thu, Oct 27, 2022, 7:50 AM
    Hi @Hanspeter Rutschmann, this is what the ordering concept of the factors is designed to do. The table of factors is ordered, and users will be presented with factors from the top down. If TOTP and mail are both active, and TOTP is above mail in the table, then TOTP will be presented first. Users can then click the 'I dont have my code' button to skip the factor and move onwards to mail.
  • Thu, Oct 27, 2022, 12:59 PM
    Thanks @Peter Burnett!
    Fully understood - but: Stupid me is unable to find the "table of factors". Please enlighten! :)
  • Wed, Nov 9, 2022, 7:49 AM
    Hi, I was wondering if there was any way to adjust the verification request page, to change the message and buttons when asking for the verification code?
  • Sun, Nov 27, 2022, 1:19 AM
    I really love tool:mfa. Thanks very much for it.
    Now my question, I am trying to develop a subplugin (a factor) that enables user login if the connection attempt comes from the same IP as the last successful login. My way of implementing that is based on an observer listening to event 'core\event\user_loggedin' and I try to declare the observer in /admin/tool/mfa/factor/mynewfactor/db/events.php but apparently Moodle ignores that. Am I right if I suppose that the db-events scheme doesn't work for factor subplugins?
    Thanks again very much in advance,
    luis (from sunny Spain)
  • Fri, Jan 27, 2023, 9:27 PM
    How can a user get QR code for app authentication factor? Once I enable app auth factor, it is in user's preferences, but user can't login to get to his preferences page. If I disable app auth factor and let user login to the system again, he doesn't have app authentication options in his profile so he can't get the QR code. Is administrator supposed to login as each user, copy the QR code and send it to each user? That would be ridiculous so I'm guessing I must be missing something?
  • Mon, Jan 30, 2023, 7:17 AM
    @Zoran Jančić this is where the gracemode factor comes into play. You can configure gracemode as an additional factor, and it will provide users a method to authenticate for 14 days (by default), so they can login and setup their QR code TOTP authentication.

    @j. luis simon I recommend implementing this instead as a callback using $factor->post_pass_state() method, and override this method in the new factor class. It is invoked every time authentication passes, so you can use this to store the IP of the user, which can be used in comparison at next lookup. I would be really careful with IP in general, there are many many conditions that can make IP change between requests (proxy, ISP etc)

    @Peter Kelly Currently there is no way to override this by default, however you could change the language strings in a custom language pack, or override it in your site theme.

    @Hanspeter Rutschmann The table lives here /admin/settings.php?section=managemfa
  • Fri, Feb 17, 2023, 1:28 AM
    Dear developers, I'm planning to use the plugin. One question: can it be set up to have 2FA for certain level users or the settings will be applied to all users? What I mean is that I'd like to have admins / teachers to go through 2FA, but not the students or parents. Is this possible?
  • Mon, Feb 20, 2023, 7:24 AM
    Hi Yusif,

    It looks like user filtering factors is what you need. You can target your admins / teachers by their auth type, roles, capabilities. Please refer to plugin docs:

    Kind regards,
  • Mon, Mar 27, 2023, 4:15 PM
    I installed this plugin on 2 test systems with Moodle 4.1.x under RHEL 8 & 7 and it's absolutely fantastic. I have now taken it into production.
    The only thing that I found a bit puzzling in the start was parts of the documentation.
    1. Do NOT enter any settings in the configuration dialog when installing. You are not logged in yet and you may lock yourself out. (This is written at the bottom of the README on GitHub).
    2. To access the configuration dialog, go to "System administration", tab "Plugins", section "Admin tools", item "Multi-factor authentication".
    3. The user's QR code is found under the user's profile (icon on top right of Moodle window), "Preferences", "Multi-factor authentication preferences"
    That's it.
    Everything else works like a charm. Good help texts for the users. Works very well. Highly recommended.

  • Tue, Mar 28, 2023, 3:42 PM

    Is it possible to make your plugin work with Microsoft's Authenticator app?

    Kind regards
  • Tue, May 16, 2023, 6:14 PM
    Would this work in workplace at a tenant level?
  • Tue, May 16, 2023, 6:16 PM
    Hi Rémi,

    Yes the application works with Microsoft authenticator, in TOTP mode via a QR code.
  • Tue, May 16, 2023, 6:17 PM

    It's not currently tenancy aware. We have had some passing interest in getting it there, but we haven't had a sponsor or the time to put towards it currently.